Today managers are faced with the challenge of ascertaining
consumer preferences for privacy, protecting sensitive customer
data, and complying with an evolving maze of regulations while
avoiding the threat of costly litigation. As society becomes
increasingly reliant upon computing, it is imperative that we
better comprehend consumer attitudes toward the handling of
personal data and the role that technology can play in enhancing
rather than diminishing privacy.
My research is aimed at advancing our understanding of information
privacy and security in a networked environment. The goal is
to contribute to the formulation of sound privacy and security
practices, and to the development of enabling technologies for
implementing these practices. To this end, my research has taken
two related streams:

(1)
Privacy and Security: Aligning Technology with Policy

IT
organizations need improved methods and tools to design, develop
and maintain systems that reflect customer privacy values and
protect personal data in the face of escalating threats to data
security. My research is focused on understanding how societal
values, law, and organizational policies can be integrated technically
into operational functioning of web-based systems. The goal
is to help organizations bring policies and systems into better
alignment. An early paper from this research stream is forthcoming
in Information and Software Technology and presents strategies
and techniques to ensure security/privacy compliance with system
requirements.

One outcome of my work (in collaboration with Drs. Annie Antón
and Colin Potts) has been to develop a statistically valid instrument
for measuring the privacy values of individuals. The research
entailed a large scale study of over 1,000 individuals that
analyzes perceptions of stakeholder privacy values, as well
as a content analysis of 80 website privacy policies. The analysis
led us to codify a set of heuristics for analyzing privacy policy
content and resulted in a paper in the Requirements Engineering
Journal. The heuristics were later used in our analysis of financial
privacy policies and compliance with the Gramm-Leach-Bliley
Act; this work is under peer review at IEEE Security and
Privacy. The stakeholder values dimension of the study gained
international recognition as the best paper awarded by the Organizational
and Communication Information Systems (OCIS) division of the
Academy of Management in 2003. An extended version of this award
winning paper is currently under peer review at IEEE Transactions
on Engineering Management.

(2)
Privacy Technology and the Law: Creating a Symbiotic Relationship

The rapid expansion of the Internet has heightened awareness
of the widespread collection, transfer and storage of personal
and sensitive data. As a result, legislatures and courthouses
worldwide have had to come to grips with a technological reality
that is no longer necessarily compatible with the legal and
regulatory system designed to oversee it. By working in collaboration
with legal and technical scholars, my research is aimed at reconciling
the gap between legislative efforts that seek to control the
flow of private data-the Health Information and Portability
Accountability Act, the Gramm-Leach-Bliley Act, the recently
proposed U.S. Online Privacy Protection Act, and European Union
Privacy Directives of 1995 and 2002-and what technology makes
possible.

This work has allowed us to analyze consumer privacy values
and corresponding technology implications within the context
of the current legal environment. It has also produced a functional
analysis that compares current privacy law in the European Union
with that in the United States. The analysis confirms that privacy
is more heavily protected in the EU than in the U.S. and provides
a foundation for an empirical investigation that compares commercial
privacy practices in the EU with those in the U.S. as they relate
to the legal environment. The practical relevance of this work
is noteworthy as organizations involved in international business
endeavors encounter conflicting expectations of privacy, as
well as inconsistent regulations across countries.